MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2534eecca5ed157444298473d7c9c82d9def5b0a93ac581b75dede2f1a0c0a56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2534eecca5ed157444298473d7c9c82d9def5b0a93ac581b75dede2f1a0c0a56
SHA3-384 hash: ba9b0e2bf6dca71315e6ebffdd8a15e487b2ceffc4da7ebe81da3cecd98e388c44c258b0e7be367c75aa94e2ebb50429
SHA1 hash: 463c20d755a29323e8994d8edd2c1984c403611b
MD5 hash: e957c04fe7176fc386d68f693293a2b7
humanhash: bravo-idaho-hotel-bacon
File name:2534EECCA5ED157444298473D7C9C82D9DEF5B0A93AC5.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:13'694'976 bytes
First seen:2021-11-23 06:16:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 196608:LjwTp0DiOLxQWotWiiqLct1sFIfPF0ePIdjS2ZrfMmRZ28PsQzMPQS:LMumWkWijotuIfNCdjSS7M4PsjH
TLSH T1B5D63312B7DDDA20C77262F3BA56B705AE7F38254920B5172FB42D3AF9C01116D2C6A3
File icon (PE):PE icon
dhash icon 60d4f8bab296ba72 (1 x RemoteManipulator)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
95.213.205.83:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.213.205.83:5655 https://threatfox.abuse.ch/ioc/253280/

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2534EECCA5ED157444298473D7C9C82D9DEF5B0A93AC5.exe
Verdict:
No threats detected
Analysis date:
2021-11-23 06:19:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/921437b5-c49d-40bf-928a-6e2622685c42

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.19347.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Deleting a system file
Unauthorized injection to a recently created process
Launching a tool to kill processes
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit coinminer greyware hacktool keylogger packed
Link:
https://www.filescan.io/uploads/619c8760f36138de3f366a90/reports/d719e0ef-e05c-474a-9679-deba4f3e9748/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99c7d9ee-d528-48e7-b3a4-6598af3779d2
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894424
Signature
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to hide user accounts
Detected unpacking (changes PE section rights)
Disable Task List ballon tips (likely to surpress security warnings)
Disables UAC (registry)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Uses cmd line tools excessively to alter registry or file data
Wscript starts Powershell (via cmd or directly)
Yara detected BatToExe compiled binary
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526902 Sample: 2534EECCA5ED157444298473D7C... Startdate: 23/11/2021 Architecture: WINDOWS Score: 100 114 Antivirus detection for dropped file 2->114 116 Multi AV Scanner detection for dropped file 2->116 118 Multi AV Scanner detection for submitted file 2->118 120 9 other signatures 2->120 11 2534EECCA5ED157444298473D7C9C82D9DEF5B0A93AC5.exe 18 2->11         started        15 svchost.exe 2->15         started        17 svchost.exe 2->17         started        19 5 other processes 2->19 process3 file4 104 C:\ProgramData\System32\logs\svchost.exe, PE32+ 11->104 dropped 106 C:\ProgramData\Microsoft\Intel\winit.exe, PE32 11->106 dropped 108 C:\ProgramData\Microsoft\Intel\vbs.exe, PE32 11->108 dropped 110 4 other files (1 malicious) 11->110 dropped 146 Drops PE files with benign system names 11->146 21 Cheat.exe 15 11->21         started        25 winit.exe 6 11->25         started        27 vbs.exe 3 7 11->27         started        148 Changes security center settings (notifications, updates, antivirus, firewall) 15->148 signatures5 process6 file7 80 C:\ProgramData\Microsoft\Intel\winlogon.exe, PE32 21->80 dropped 82 C:\ProgramData\Microsoft\Intel\taskhost.exe, PE32 21->82 dropped 84 C:\ProgramData\Microsoft\Intel\svchost.exe, PE32 21->84 dropped 88 7 other files (6 malicious) 21->88 dropped 122 Multi AV Scanner detection for dropped file 21->122 124 Drops PE files with benign system names 21->124 29 svchost.exe 21->29         started        86 C:\ProgramData\Microsoft\Intel\smss.exe, PE32+ 25->86 dropped 32 smss.exe 6 25->32         started        34 cmd.exe 1 27->34         started        36 wscript.exe 27->36         started        signatures8 process9 signatures10 150 Antivirus detection for dropped file 29->150 152 Binary is likely a compiled AutoIt script file 29->152 38 R.exe 29->38         started        42 winlogon.exe 29->42         started        45 R8.exe 29->45         started        53 2 other processes 29->53 154 Detected unpacking (changes PE section rights) 32->154 156 Machine Learning detection for dropped file 32->156 158 Hides threads from debuggers 32->158 47 cmd.exe 1 32->47         started        49 conhost.exe 34->49         started        51 timeout.exe 1 34->51         started        process11 dnsIp12 90 C:\ProgramData\Install\R.exe, PE32 38->90 dropped 92 C:\ProgramData\Install\st.bat, ASCII 38->92 dropped 126 Multi AV Scanner detection for dropped file 38->126 55 wscript.exe 38->55         started        112 192.168.2.1 unknown unknown 42->112 128 Machine Learning detection for dropped file 42->128 58 cmd.exe 42->58         started        94 C:\rdp\Rar.exe, PE32 45->94 dropped 130 Antivirus detection for dropped file 45->130 132 Wscript starts Powershell (via cmd or directly) 47->132 134 Uses cmd line tools excessively to alter registry or file data 47->134 60 reg.exe 47->60         started        62 reg.exe 47->62         started        64 conhost.exe 47->64         started        68 14 other processes 47->68 96 C:\ProgramData\Microsoft\temp\H.bat, ASCII 53->96 dropped 98 C:\ProgramData\Microsoft\temp\Clean.bat, ISO-8859 53->98 dropped 100 C:\Users\user\AppData\Local\Temp\...\M.exe, PE32 53->100 dropped 66 wscript.exe 53->66         started        file13 signatures14 process15 signatures16 136 Wscript starts Powershell (via cmd or directly) 58->136 70 powershell.exe 58->70         started        74 conhost.exe 58->74         started        138 Disable Task List ballon tips (likely to surpress security warnings) 60->138 140 Changes the view of files in windows explorer (hidden files and folders) 60->140 76 cmd.exe 60->76         started        142 Disables UAC (registry) 62->142 process17 file18 102 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 70->102 dropped 144 Modifies Group Policy settings 70->144 78 conhost.exe 76->78         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2534eecca5ed157444298473d7c9c82d9def5b0a93ac581b75dede2f1a0c0a56/
Threat name:
Win32.Backdoor.RemoteManipulator
Create hunting rule
Status:
Malicious
First seen:
2018-02-03 00:41:10 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eu2o5tff5ukxirbjqrz5psoifwo66wyksowfqg3v33pc6gqmbjla._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:rms family:xmrig aspackv2 discovery evasion exploit miner persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/211123-g12wjsced3/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs .reg file with regedit
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
autoit_exe
Modifies WinLogon
Cryptocurrency Miner
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocks application from running via registry modification
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Possible privilege escalation attempt
Sets DLL path for service in the registry
Sets file to hidden
Stops running service(s)
UPX packed file
Detected Stratum cryptominer command
Grants admin privileges
XMRig Miner Payload
Modifies Windows Defender Real-time Protection settings
RMS
UAC bypass
Windows security bypass
xmrig
Unpacked files
SH256 hash:
b40a7216417076622bab6c9a341683eaacf5295d1103d115e5a57aede23c8bbe
MD5 hash:
9f1102989d5ae366cc8393defda99738
SHA1 hash:
afdf658cd4f1718b3722f3fa8d111c9e3b97bef5
Link:
https://www.unpac.me/results/224a44bc-565b-4fa2-8194-8570811a1d1a/
SH256 hash:
e642214f57c45dcb2ff1364df0700775af87c8f48266c62fe4e400222b57ceca
MD5 hash:
685cc2d350eebab90ad92a624a3daf68
SHA1 hash:
783a6280715e3f59355509d9839477dcd00d1fc7
Link:
https://www.unpac.me/results/224a44bc-565b-4fa2-8194-8570811a1d1a/
SH256 hash:
d3cd81e52a4a2995ee3f6dd5cf2338f668bf02b81ae170ff0c93481d5886b755
MD5 hash:
e36f35afd7cb0e833731fab77d4dedec
SHA1 hash:
8928351b8b45a547d64dec81bf3c7017d253d676
Link:
https://www.unpac.me/results/224a44bc-565b-4fa2-8194-8570811a1d1a/
SH256 hash:
5ea4a860c596e698c25a2779015fbe7da30feae503225a3ab0d204ef1c5fc779
MD5 hash:
280b052e0c53f041fbef8e2c3b60fbfc
SHA1 hash:
fed89539761018fea358f4e9ebc2ef32afd0dd75
Link:
https://www.unpac.me/results/224a44bc-565b-4fa2-8194-8570811a1d1a/
SH256 hash:
ea2f8acef0120d3fb687f2e69a34d8b7a2ddaa4e7cf9f9ec8c87bc08ec2902d6
MD5 hash:
d6742616bb4ddf5a36471fa6e0a0e856
SHA1 hash:
e5e3e9976a13d037d5ccaa230adffaf1415f7424
Detections:
win_koadic_auto
Create hunting rule
Link:
https://www.unpac.me/results/224a44bc-565b-4fa2-8194-8570811a1d1a/
SH256 hash:
70002e53d5a8cb460dbda43ec25c91e220a14f899a0a80e8021a482555b8d6bf
MD5 hash:
4c9e4cd4cf447e393be14d30111dca2a
SHA1 hash:
faee266da95df0e7b281577fbe550893217cc303
Link:
https://www.unpac.me/results/224a44bc-565b-4fa2-8194-8570811a1d1a/
SH256 hash:
850319e3fb6dd0ff7e99c6823cc662eabbfa2028a7b050fe1da419273030c91c
MD5 hash:
680ea29cf32ac2644dbc3a48edb7cac1
SHA1 hash:
06708361c1a50e5f376a307d54c575f412af9a11
Link:
https://www.unpac.me/results/224a44bc-565b-4fa2-8194-8570811a1d1a/
SH256 hash:
1fd6d77ae35f3e38e44d0cf92c541ba31b72dcd7410b9859dc0b9b861074a9f1
MD5 hash:
2b848a57a38b820f157f3863ab3b8064
SHA1 hash:
614e5fbc0f7a5c832ef05c7d58cb55674e744930
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/224a44bc-565b-4fa2-8194-8570811a1d1a/
SH256 hash:
2828e48e3dd8444d9e874dada2cdbe4e3a2b8cba16c673121d5cb36aab523de2
MD5 hash:
e98b20c82045b8005b4fa36780fbbe24
SHA1 hash:
fcdcb3d7e3449b41e43640281e7e3daf3b5c7563
Link:
https://www.unpac.me/results/224a44bc-565b-4fa2-8194-8570811a1d1a/
SH256 hash:
2534eecca5ed157444298473d7c9c82d9def5b0a93ac581b75dede2f1a0c0a56
MD5 hash:
e957c04fe7176fc386d68f693293a2b7
SHA1 hash:
463c20d755a29323e8994d8edd2c1984c403611b
Link:
https://www.unpac.me/results/224a44bc-565b-4fa2-8194-8570811a1d1a/
Malware family:
XMRIG
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2534eecca5ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2534eecca5ed157444298473d7c9c82d9def5b0a93ac581b75dede2f1a0c0a56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner
Create hunting rule
Author:ditekSHen
Description:Detects executables with modified PE resources using the unpaid version of Resource Tuner
Rule name:MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Author:ditekSHen
Description:RemoteUtilitiesRAT RAT payload
Rule name:SR_APT_DustSquad_PE_Nov19
Create hunting rule
Author:Arkbird_SOLG
Description:Super Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments